Message-ID: <41520.10.10.10.7.1052553586.squirrel@webmail.linuxpowered.net>
From: fulldisclosure at aphroland.org (nate)
Subject: Hotmail & Passport (.NET Accounts) Vulnerability

David Vincent said:

> ...why?  is this a fame thing or are you worried that ppl aren't getting
> credit for the vulns they discover and therefore don't have the
> intellectual property over said vulns?

I could have sworn I read somewhere (maybe it was just an opinion), perhaps
sometime last year, that MS started trying to crack down more on disclosures,
wanting people to "co-operate" more (even if it meant waiting 2-3-4
months for them to come up with a fix), and would only give "credit"
to those parties that "co-operated" with them in that manner. Which
is their right; I don't care either way (I don't use their products
anyways).

I've noticed at least some of the MS-related security reports seemed
to have rather large gaps of time between notification and announcement
of available fixes (weeks, months ...).

I personally would prefer a more full disclosure stance from vendors
(even open source ones), at least announcing that there is a severe
problem with app X, and that the vendor advises restricting access to it
or shutting it down. E.g. the SSH root exploit last year: there was a
big uproar about it, and my Linux distribution (Debian) was forced to
release new versions of the package when in fact the version of SSH
that shipped with the product WAS NOT VULNERABLE (the affected features
did not exist in that version of OpenSSH). The security folk didn't
have the information they needed to determine what the problem was.

On a similar note, a couple of years ago there were a bunch of advisories
that came out for various FTP servers with regard to "globbing"
(the ls */*/*/* bug). Debian's port of the openbsd-ftp server
remained vulnerable for probably nearly a year without so much as
a peep out of the security team. I emailed them several times and
conversed directly with a couple of Debian developers; at least they
could have issued an advisory NOT to use that particular package until
a fix was available (there are many alternative FTP servers after all),
but there was silence. Their response to me was that the problem was
in glibc and they were working on a fix for glibc which would fix
it, but there was some sort of holdup for the fix. Though I would
much rather know a package is vulnerable even if it may not be
fixed for 3-4 months, so I can stop using it, or at least severely
restrict access to the port and monitor it much more closely than I
otherwise would.

Even if it means updating a security advisory several times, I'd love
to see a system that notified immediately upon discovery, and then
tracked the status of the fix until it is made available (at least for
patches that would take longer than 24 hours to release). Anyone
know if MS has ever gotten a patch out in less than 24 hours from
notification? I remember reading Samba's response to their most
recent troubles; I think Jeremy Allison (sp?) said they had fixes
to the bugs within 2 hours of being notified or something like that,
though they waited 48-72 hours to give their vendors time to prepare
"packaged" fixes before making a formal announcement.


nate